Wednesday, December 12, 2007

Carelessness threatens privacy

Three stories from the BBC today demonstrate, as if demonstration were necessary, that carelessness with IT storage media can easily expose the personal data of thousands of individuals to the potential of identity theft:

1. The Driver and Vehicle Agency in Northern Ireland lost 2 disks containing details of 6,000 people en route to its headquarters in Swansea.

2. Leeds Building Society mislaid personal details of 1,000 employees while moving the HR department from one floor to another.

3. A Merseyside health care trust "accidentally" sent out personal details on thousands of staff to four medical organisations bidding to supply the trust.

If the data involved had been printed out, I suspect those involved would have taken more care with the filing cabinets or boxes of paper, but CD-ROMs or DVDs seem so insignificant.

Security policies, procedures and guidelines, coupled with effective security awareness activities and staff training, are obvious controls for such situations, along with encryption of anything confidential and care over the encryption keys.

Tuesday, October 23, 2007

Yet another redaction failure

... this time it reveals the face of a man accused of sexually abusing boys in Vietnam and Cambodia. Photos of the man were redacted using a swirly filter effect that police somehow reversed. The resulting image is clearer than most CCTV snaps we see on TV crime watch programs.

Presumably the same kind of techniques would work on similarly redacted digital photos of vehicle license plates, associates of criminals and so forth. Provided there is sufficient original data in the redacted image, and provided the manipulation can be reversed without too much data loss, it's feasible.

Stories about un-redacting documents by cutting-and-pasting the original words from 'beneath' black boxes crudely added to PDFs etc. are simply passé.

The take-home lesson for today is this: if something needs to be redacted, do it properly by removing, not just manipulating or covering, the original data. There's a lot to be said for the 'print out -> obliterate with marker pen -> scan -> load' method.
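To illustrate the difference between manipulating and removing data, here is an added example (not from the original post) that models the image as a small constructed grid of pixel values and the "swirl" as a fixed pixel shuffle; the shuffle rule, the grid and the pixel values are all assumptions for the demonstration. Every original pixel survives the shuffle and can be put back exactly, whereas overwriting the region with a constant leaves nothing to reverse.

```python
import math

# Constructed 4x4 "face" region; every pixel value is distinct so that
# survival of the original data is easy to see.
SOURCE = [
    [10, 20, 30, 40],
    [50, 60, 70, 80],
    [90, 100, 110, 120],
    [130, 140, 150, 160],
]

def _flatten(img):
    h, w = len(img), len(img[0])
    return h, w, [img[r][c] for r in range(h) for c in range(w)]

def _unflatten(flat, h, w):
    return [flat[r * w:(r + 1) * w] for r in range(h)]

def _perm(n):
    """Assumed filter rule i -> (m*i + 3) mod n, with m coprime to n, so it is a bijection."""
    m = next((k for k in range(2, n) if math.gcd(k, n) == 1), 1)
    return [(m * i + 3) % n for i in range(n)]

def swirl(img):
    """Model of a 'swirl' filter: every pixel is moved, none is destroyed."""
    h, w, flat = _flatten(img)
    p = _perm(len(flat))
    out = [0] * len(flat)
    for i, v in enumerate(flat):
        out[p[i]] = v
    return _unflatten(out, h, w)

def unswirl(img):
    """Because the filter is a permutation, the original is recovered exactly."""
    h, w, flat = _flatten(img)
    p = _perm(len(flat))
    out = [0] * len(flat)
    for i in range(len(flat)):
        out[i] = flat[p[i]]
    return _unflatten(out, h, w)

def redact(img, fill=0):
    """Proper redaction: overwrite the region with a constant; no original value survives."""
    return [[fill for _ in row] for row in img]

def surviving_pixels(original, candidate):
    """Crude check: how many original pixel values still appear anywhere in the candidate?"""
    present = {v for row in candidate for v in row}
    return sum(1 for row in original for v in row if v in present)
```

Running `surviving_pixels(SOURCE, swirl(SOURCE))` reports all 16 values still present, while `surviving_pixels(SOURCE, redact(SOURCE))` reports 0.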

UPDATE: a man has been arrested in Bangkok following release of the unredacted photo.

Sunday, October 07, 2007

Top secret NSA data lost on thumb drive

It's not A Good Idea to lose a USB memory stick containing top secret data from the NSA, even if you are a foreign citizen working at the Hague in Holland.

Similarly, it's not A Good Idea to shred your top secret papers with a plain cut shredder and hand the shreddings to an untrustworthy Taiwanese courier.

Saturday, August 18, 2007

Security awareness success in the US Army

Details of audits of US Army websites and blogs run by soldiers, disclosed under the Freedom of Information Act, reveal that far more security policy breaches occur on official Department of Defense websites than on blogs. The audits were conducted by the Army Web Risk Assessment Cell, a special unit with a remit (evidently) to minimize unauthorized disclosure of sensitive military information via the Web.

It seems to me the Army was absolutely right to highlight the information security risks relating to blogging. I believe the audit results reflect the outcome of a highly successful security awareness program. If this issue had not been addressed so effectively, I'm convinced there would have been far more noncompliance issues, in other words this is a lesson to us all.

In respect of security awareness programs and policy compliance, 'the military' have a significant advantage over most of us in that the workforce is specifically trained to respect authority and follow orders - or at least, that is the classical view. In fact, I understand modern soldiers are increasingly being taught to think for themselves and operate autonomously, albeit within a highly structured (literally 'regimented') operating framework and, when necessary, at gunpoint. The traditional approach to the blogging security issue would presumably have been to send out an order banning blogging. What actually happened was more subtle: Army bloggers were instructed to register their blogs with commanding officers and pre-clear what they publish. 'Blog responsibly' is a rather softer message but the audit results seem to indicate its effectiveness in this situation.

Saturday, August 04, 2007

The Ferrari-McLaren espionage case continues

Autosport brings together all the news on the Ferrari-McLaren spy story on one handy page. The FIA and court action continues off the track. Did McLaren bosses know their Chief Designer was in possession of Ferrari's trade secrets? And if Ferrari bosses were suspicious of Nigel Stepney for months, how come they didn't suspend him much earlier?

Tuesday, July 31, 2007

New awareness module on protecting trade secrets

August module
Continuing the flow of innovative security awareness materials, we have released another completely new NoticeBored Classic module about protecting trade secrets. This module complements and extends May’s module on insider threats and June’s on privacy and data protection. Organizations need to protect valuable information assets including sensitive commercial or proprietary information such as descriptions of their unique business processes and ingredients, customer lists, product and corporate development plans, financial models and results. The module looks at practices ranging from competitive intelligence at one end of the ethics/legality scale to industrial espionage and information warfare at the other, covering all points in between. It’s important to realize that competitors may not share our moral values and respect for the law so do pay attention: forewarned is forearmed!

Wednesday, January 17, 2007

Foreign spies in America

2006 Technology Collection Trends in the U.S. Defense Industry, an unclassified report released in June 2006 by the US Defense Security Service Counterintelligence Office, notes espionage incidents involving 106 foreign countries in 2005 (up from 90 the year before), a handful of which are briefly outlined in the appendix. Information systems are not surprisingly the most frequent targets for those seeking, um, information. The body of the report summarizes typical spy tactics and presents countermeasures in succinct tables like the one shown above. The same tactics and countermeasures apply whether the targets are military secrets or proprietary IP - in fact, they are often one and the same (so-called 'economic espionage').

More IPR resources

Sunday, July 09, 2006

Untrustworthy insiders

A very public industrial espionage case involving allegations that an employee tried to sell proprietary information from Coca-Cola to Pepsi is a timely reminder of the issues arising from trusted insiders. It is alleged that the employee, an administrative assistant in the marketing function having ready access to highly sensitive information, removed it from the office and offered to sell it to Coke's arch rival. Pepsi presumably alerted the authorities, who ran a 'sting' to catch the alleged perpetrator red-handed. Even with the benefit of 20-20 hindsight, it is unclear what Coke management might reasonably have done to address this risk. Better screening and supervision of employees, maybe? Clearer policies on control of sensitive information in whatever format, e.g. "secret information must not be removed from the office"? An employee who is prepared to offer secrets for sale to a competitor seems unlikely to heed such policies. Better detective and corrective controls might perhaps have identified the exposure before things got out of hand, especially if there were preliminary incidents. Due to the impending court action, there is limited information on the details of the case; for example, the news article does not state whether the accused had an exemplary record.
More links on keeping secrets

Thursday, June 15, 2006

Economic espionage, a clear and present danger

The latest CSO ezine contains an eye-opening assessment of the risk of 'economic espionage' (a.k.a. industrial espionage or intellectual property theft). Secrets Stolen, Fortunes Lost recounts several case studies and makes the point that traditional security measures are no longer effective in today's e-everything world. Information security threats require different controls, and in turn this requires senior management to update their attitudes towards securing the company's crown jewels. Simply acknowledging the value of their proprietary and personal information would be a good start, let alone recognising the vulnerabilities and impacts of information security breaches.
More IPR resources

Monday, June 05, 2006

Industrial espionage laid bare

As a former NSA employee, Ira Winkler is well known on the speaking circuit for disclosing some of the cloak-and-dagger techniques used by genuine spies. His book, Spies Among Us, should be required reading for all MBA students and managers. Secrets of Superspies, a conference keynote presentation by Ira, has the usual hallmarks of his case-study style plus the analysis to explain why corporate espionage is a realistic probability for any corporation with secrets, patents or other valuable intellectual property and unethical competitors. It's enough to make me even more paranoid.
More confidentiality, social engineering and hacking resources

Monday, May 30, 2005

Trojan used for industrial espionage

A handful of well known companies are caught up in a scandal over the use of a Trojan horse program for industrial espionage against selected targets. The story is rather sketchy at present, but it appears that police discovered the plot following a lead from an Israeli author whose London-based former son-in-law is accused of disclosing parts of a book he was writing. The existence of the Trojan is evidently not in dispute, along with the fact that it was distributed on a 'promotional CD'. The author, however, claims that it is legal and is 'not his fault' if it was misused for illegal/unethical purposes.
More malware and privacy links

Wednesday, April 27, 2005

Corporate espionage

This slightly xenophobic article nevertheless analyzes the threat of theft of proprietary information. "Experts say that company insiders are a much bigger problem than someone hacking into the system from the outside. 'Seventy-five to 85 percent of all theft per se is done by an insider,' said Julie Snyder, president of the Silicon Valley chapter of the International High Technology Crime Investigation Association."
More confidentiality resources
